UK Treasury knew of US hunt through British bank data

The Bank of England told HM Treasury about the secret US surveillance of international banking transactions as long as five years ago.

The US's eager pursuit of terrorist financiers, begun within weeks of the 11 September attacks, involved a trawl through the world's financial transactions through subpoenas on the firm that handles them for private banking clients - the Society for Worldwide Interbank Financial Communication (Swift).

European authorities, including the UK's Information Commissioner, have since declared the US operation "illegal" and have begun to press financial institutions to put a stop to the warrantless and unprotected transfers of private banking data to the US authorities.

This programme remained a secret from privacy watchdogs - even from those people whose data was being handed over to US investigators - until the New York Times unearthed it last June. Yet HM Treasury knew about it for some years.

A spokesman for the Bank of England told The Register: "Swift told us in 2002 that it had agreed with the US subpoenas. We told Swift it should tell the government. We told HM Treasury. We felt they should know."

The G10 central banks, which act as Swift's oversight board, were told about the subpoenas in February 2002, European Central Bank (ECB) president Jean-Claude Trichet told the EU Parliament in October.

But the ECB had decided not to warn "other relevant authorities" about Swift's decision to give US authorities access to its international banking transactions because it believed its own responsibility for "professional confidentiality" among its members was more important.

Other European authorities like the European Data Protection Supervisor might not have been informed, but more European governments might have been aware of the illegal data trawl than just the British.

A source involved in the ongoing European investigations told The Register: "As far as I understand, some central banks I know decided to tell their governments. I've been told that it was a few countries."

The European Parliament passed a resolution this week that stated its concern that the US trawl of EU financial data had gone on so long in violation of "European and national data protection legislation" and without the proper authorities being informed.

It told the European Commission to find out if systems such as Swift's made it easier for foreign governments to commit industrial espionage at the expense of European firms. No specific reference was made to the US Treasury's subpoenas on Swift in this regard, but the example being used on the street in Brussels is Airbus.

It also endorsed the opinion of the European Data Protection Supervisor who two weeks ago said the ECB should be concerned about the privacy because if people thought their transactions weren't secure they might lose confidence in the financial system.

The ECB admitted to the Parliament in November how the "smooth functioning of the global financial system" was dependant on Swift. Indeed, it was an "indispensable precondition" for "two core central bank tasks": to maintain financial and price stability. It said privacy was the concern of the data protection authorities, but its steadfast adhesion to its confidentiality principle suggested they might have a hard time learning of similar indiscretions in the future.

HM Treasury said in a statement: "On the financial stability point/impact on business confidence, we say that there is no greater risk to the financial system that the criminal abuse of or a terrorist attack on the system."

"As you know this is a US project, and we don't comment on this or any other security matter," it added.

It suggested the Home Office would be better placed to comment about Swift's involvement in terrorist finance investigations because it was more of a security than a financial issue.

There is little privacy regulators can do about this apparent lack of transparency bar forcing banks to tell their customers what they, the Treasury and central banks had failed to tell them before: that details of their transactions might be handed over to US investigators - a little like putting a health warning on a cigarette, and perhaps a list of chemical ingredients.

This is precisely what the ECB told the commission two weeks ago that it would do: "As a user of SWIFT services, the ECB will seek the consent of individual counterparties in payment transactions...When asking for this consent, the ECB will explicitly refer to its use of SWIFT and SWIFT's database storage."

As the ECB was reprimanded for failing to tell privacy authorities when it first learned of the Swift subpoenas, and no banking clients are thought to have known that their private financial data was, via Swift, been pawed by the US Treasury, this concession appears to indicate some progress for campaigners like Privacy International, whose complaints to watchdogs across Europe lent the EU reaction to the Swift subpoenas some vigour.

Yet it only looks good on paper, as the ECB pointed out: "Payment orders from natural persons who do not consent to the use of SWIFT will not be processed."

Seeing as by the ECB's own admission there is no alternative way for banking clients to manage their international payments than via Swift, it is likely to have no impact on privacy whatsoever. As for any impact on the financial system, the British Bankers Association said there had been none. HM Treasury's secrecy appears to be vindicated. Was it right, though? ®